Researchers from WatchTowr have published technical details of a detection script which can be used to identify exploitation of the CitrixBleed 2 vulnerability.
The flaw, tracked as CVE-2025-5777, is a critical out-of-bounds read (CVSS score: 9.3) affecting Citrix NetScaler ADC and Gateway devices running versions 13.1 before 13.1-58.32 and 14.1 before 14.1-43.56.
When exploited, it allows attackers to bypass authentication mechanisms, including multifactor authentication (MFA), and hijack user sessions.
It was disclosed by Citrix on June 17 alongside CVE-2025-5349, an access control issue.
On June 26, ReliaQuest published a report in which it claimed “with medium confidence” that attackers are actively exploiting CVE-2025-5777 to gain initial access to targeted environments.
WatchTowr, a company known for publishing proof-of-concept (PoC) exploits, initially stated it would refrain from releasing technical details for the CitrixBleed 2 exploit. The main reason was that the company observed “a significant portion” of Citrix NetScaler devices that had still not been patched.
However, WatchTowr later stated that information sharing, such as indicators of compromise (IoCs) and exploitation artifacts, had been minimal, leaving Citrix NetScaler users struggling to assess whether they needed to raise internal alerts.
The company’s researchers released a detailed analysis to help detect CitrixBleed 2 in a report published on July 4.
WatchTowr said it released the analysis to “ensure it’s not just the ‘bad people’ who can identify a vulnerable appliance.”
Speaking to Infosecurity, Andrey Lukashenkov, head of revenue at the vulnerability intelligence firm Vulners, confirmed that, while it “probably can be repurposed to exploit,” the WatchTowr analysis is “not an off the shelf exploit.”
Additionally, WatchTowr said the researchers released “reproducers that don’t act as weaponized PoCs but will allow confident, evidence-based determination of whether a target Citrix Netscaler appliance is vulnerable.”
These include a “no-detection artefact generator,” a tool designed to help defenders test and improve their detection capabilities by generating benign or simulated attack artifacts that mimic real threats but are not inherently malicious.
Here is a breakdown of the attack execution process for exploiting CitrixBleed 2 according to WatchTowr:
- Malicious request submission: The attacker sends a carefully constructed HTTP POST request to the Citrix Gateway login endpoint, altering the login parameter in a way that exploits a memory management flaw
- Server response with sensitive data: The server responds with an XML response that contains a specific tag. If the system is vulnerable, this tag may expose uninitialized memory contents due to improper handling
- Session token extraction and exploitation: By repeatedly sending these requests, the attacker can leak sensitive session tokens stored in memory. If successful, this could allow session hijacking and MFA bypass, granting unauthorized access
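The three steps above map directly onto a defender-side triage rule: a POST to the login endpoint whose `login` parameter is malformed, followed by a response whose echo tag carries content the client never sent. The script below is an added example written for this article, not WatchTowr's detection script or Citrix's code. The endpoint path, the tag name, and the choice of "parameter present without an `=`" as the malformed form are assumptions for illustration; set them from the vendor or WatchTowr guidance for your appliance version. The request/response records it runs over are constructed sample data.

```python
import re
from collections import Counter

# ASSUMPTIONS for this example (not taken from the article): the login endpoint
# path and the XML tag that echoes the submitted login name. Adjust for your
# appliance version before using this against real traffic captures.
LOGIN_PATH = "/p/u/doAuthentication.do"
LEAK_TAG = "InitialValue"


def login_param_malformed(body: str) -> bool:
    """Assumed heuristic: the `login` key is present but has no '=value' part."""
    for pair in body.split("&"):
        key, sep, _value = pair.partition("=")
        if key == "login" and not sep:
            return True
    return False


def tag_value(xml_text: str, tag: str = LEAK_TAG):
    """Extract the tag body with a regex: leaked memory is rarely well-formed XML,
    so a strict parser would reject exactly the responses we care about."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", xml_text, re.S)
    return None if m is None else m.group(1)


def has_binary(s: str) -> bool:
    """Control or high bytes in a field that should hold a username point to
    uninitialized memory rather than user input."""
    return any((ord(c) < 0x20 and c not in "\t\r\n") or ord(c) > 0x7E for c in s)


def triage(events):
    """Return (findings, attempts_per_source) for a list of request/response records.

    A finding is a malformed login POST whose echo tag is non-empty: the server
    returned content the client never supplied, which is the leak described above.
    attempts_per_source counts malformed POSTs per client, since the attack is
    repeated to harvest tokens from successive memory chunks.
    """
    findings = []
    attempts = Counter()
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        if not login_param_malformed(ev["body"]):
            continue
        attempts[ev["src"]] += 1
        leaked = tag_value(ev["response"])
        if leaked:
            findings.append({
                "src": ev["src"],
                "leak_len": len(leaked),
                "binary": has_binary(leaked),
            })
    return findings, attempts


# Constructed sample records (not real captures): one benign login, two malformed
# POSTs from the same client, and an unrelated GET.
SAMPLE_EVENTS = [
    {"src": "203.0.113.9", "method": "POST", "path": LOGIN_PATH,
     "body": "login=alice&passwd=hunter2",
     "response": "<AuthenticateResponse><InitialValue>alice</InitialValue></AuthenticateResponse>"},
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH,
     "body": "login",
     "response": "<AuthenticateResponse><InitialValue>\x00\x00\x07user=bob;sid=9f3c1a\x7f</InitialValue></AuthenticateResponse>"},
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH,
     "body": "login",
     "response": "<AuthenticateResponse><InitialValue>\x01\x02sid=4be0d7\x00</InitialValue></AuthenticateResponse>"},
    {"src": "198.51.100.7", "method": "GET", "path": "/vpn/index.html",
     "body": "", "response": ""},
]


if __name__ == "__main__":
    hits, per_src = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"leak from {h['src']}: {h['leak_len']} bytes, binary={h['binary']}")
    for src, n in per_src.items():
        print(f"{src}: {n} malformed login POST(s)")
```

The benign record is skipped because its `login` parameter is well-formed, even though the echo tag is populated; the two malformed POSTs are reported and attributed to one source, which is the repetition pattern the third step describes. On a real appliance you would feed this from whatever request and response logging you have in front of the gateway, and treat any non-empty echo on a malformed request as a confirmed leak regardless of whether the bytes happen to be printable.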